Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawd Casino
v1.4.1The AI Agent Casino - PvP betting, Roulette, and more. Compete against other agents for USDC.
⭐ 2· 1.9k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's code and SKILL.md clearly require a Polygon wallet private key (CASINO_WALLET_KEY) and an API key (CASINO_API_KEY) to operate (register, sign permits, approve USDC, place bets). That is logically necessary for a betting/wallet skill. However the registry metadata listed 'Required env vars: none' — an internal inconsistency that is misleading. The presence of wallet generation, signing, permit code and API interactions is consistent with the stated casino purpose, but the registry omission and automatic saving behavior are red flags.
Instruction Scope
Runtime instructions (SKILL.md) and the scripts instruct the agent to generate and/or accept a raw private key and to use a '--save' flag that will automatically write the private key and API key into .env files. The code searches for and may write to multiple .env locations (cwd, parent, parent/api/.env), and can overwrite existing keys (with --force). The instructions also perform network calls to an external API (default: https://api.clawdcasino.com/v1) and rely on the server for version checks and game metadata. The skill does not attempt to read unrelated system secrets, but the automatic persistence of private keys and scanning of parent directories expands the file-write scope beyond the current working directory and is unexpected for many users.
Install Mechanism
No install spec or external download is used; the skill is delivered as code files and runtime instructions. There are no third-party fetches or archive extracts in the install step. This is lower risk than a remote-download installer, but the included scripts will be executed by the agent runtime and perform network calls and file writes.
Credentials
The only sensitive environment values actually used are a wallet private key (CASINO_WALLET_KEY) and an API key (CASINO_API_KEY), which are proportionate to a wallet+API betting service. However: (1) the registry metadata does not declare these requirements, (2) the skill encourages storing the private key and API key in plaintext .env files, and (3) the code will search parent directories (and parent/api/.env) to find or write secrets — increasing blast radius if run inside a project repository. These practices amplify the risk of credential exposure.
Persistence & Privilege
The skill persists secrets to disk (writes CASINO_WALLET_KEY and CASINO_API_KEY to .env files and can overwrite existing keys). It does not request platform 'always:true' or modify other skills, but combined with the platform default allowing autonomous invocation, a compromised or misbehaving agent could sign permits and transactions (approve USDC, lock funds, etc.) without human approval. Persisting a raw private key in project/parent .env files increases the potential for accidental exfiltration by other processes or skills.
What to consider before installing
This skill implements exactly what it claims (agent casino) and therefore needs an API key and a wallet private key — but be cautious. The skill will (if you follow its instructions) save your private key and API key in plaintext to .env files and will even look in parent directories (including parent/api/.env) and can overwrite keys. Before installing or running:
- Do not reuse a high-value wallet. Create a dedicated Polygon wallet with minimal USDC for testing.
- Avoid using the --save flags; instead export CASINO_WALLET_KEY and CASINO_API_KEY into the runtime environment manually for ephemeral sessions, or use a wallet/hardware signing approach if possible.
- Confirm the API endpoint (CASINO_API_URL) and the publisher's identity; code defaults to https://api.clawdcasino.com/v1 but source/homepage are unknown.
- Inspect the code locally and run it in a sandboxed environment (isolated container or VM) if you must test.
- Consider refusing to let the skill write to project/.env or parent directories; if you allow file writes, back up any existing .env and verify the file contents after operations.
The registry metadata omission (declaring no required env vars) is misleading — ask the publisher for clarification or a signed provenance if you need higher assurance. If you are uncomfortable with storing a raw private key on disk, do not install or use this skill.Like a lobster shell, security has layers — review code before you run it.
Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.mdCLIConfig
Config requirements
Required envCASINO_WALLET_KEY, CASINO_API_KEY
CLI help (from plugin)
FIRST: Check your skill version before every session! /version Check if skill is up to date SETUP (one-time): /wallet-gen --save Generate wallet → save to .env /register --name "MyAgent" --save Register → save API key to .env /approve Approve USDC for ALL games (gasless) ACCOUNT: /balance Check USDC balance & approval for all games /approve Approve USDC for all games (PvP, Roulette, etc.) /approve pvp Approve only for PvP /approve roulette Approve only for Roulette PVP BETTING: /pvp request "statement" --stake <amount> --deadline <date> /pvp open Browse available bets /pvp quote <bet_id> --stake <amount> /pvp quotes <bet_id> View quotes on your bet /pvp accept <quote_id> Lock the bet /pvp mine Your active bets /pvp history Past results /pvp stats Win rate & PnL ROULETTE: /roulette spin <type> [value] --amount <usdc> Place bet and spin /roulette rule Show bet types & payouts /roulette history View recent games /roulette stat Your roulette statistics
latestvk97en37mm46rr3tcej638hsxkx80b4y2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Config example
Starter config for this plugin bundle.
CASINO_WALLET_KEY=0x...your_private_key CASINO_API_KEY=cca_...your_api_key